About Blank ....gonna scream

14 replies to this topic

#1 someclue (Full Member, 7 posts)

Posted 22 May 2004 - 03:55 AM

I have run all the programmes from reading the board (adaware, cwsshredder etc etc), I have read the other posts and their fixes. I have tried following their suggestions, have downloaded reglite, I have tried to paste, it wouldn't take. I even posted to this earlier and no one helped me, I am again enclosing the hijack this log and the find all log... pppplease someone help me, I am about to revert to stone and chisel. thxs Karen


Logfile of HijackThis v1.97.7
Scan saved at 1:43:14 AM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\EtyapiOy.exe
C:\WINNT\system32\NlzBH.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1FBB5754-2DFF-4D43-93C8-F285EA5F0457} - (no file)
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\YmxB.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

and this



--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--


Sat May 22 01:45:40 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Local Disk" (7C29:6036) - FS:NTFS clusters:512
Total: 19 995 622 912 [19G] - Free: 15 067 545 088 [14G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""
"ESB{FC5C6C50-B66F-4BCE-BBAE-57B4140BCBC0}"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
1:45am up 0 days, 16:42

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error
Invalid search path


*Tasks (services):
0 System Process
8 System
160 SMSS.EXE
184 CSRSS.EXE Title:
204 WINLOGON.EXE Title: NetDDE Agent
240 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
252 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs
452 SVCHOST.EXE Svcs: RpcSs
484 spoolsv.exe Svcs: Spooler
556 ati2evxx.exe Svcs: Ati HotKey Poller
584 CISVC.EXE Svcs: cisvc
604 SVCHOST.EXE Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
644 InoRpc.exe Svcs: InoRPC
684 InoRT.exe Svcs: InoRT
704 InoTask.exe Svcs: InoTask
776 LogWatNT.exe Svcs: LogWatch
872 regsvc.exe Svcs: RemoteRegistry
896 mstask.exe Svcs: Schedule
972 SVCHOST.EXE Svcs: wuauserv
1072 explorer.exe Title: Program Manager
1428 IEXPLORE.EXE Title:
1208 EtyapiOy.exe Title:
1256 NlzBH.exe Title:
1544 IEXPLORE.EXE Title: SWI Forums -> Malware Removal - Microsoft Internet Explorer
1288 WINZIP32.EXE Title: WinZip - Find-All.zip
100 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1396 NTVDM.EXE
1524 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FBB5754-2DFF-4D43-93C8-F285EA5F0457}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{86C01FCC-EDA1-4F8A-86FC-ED45049DCEEB}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{86C01FCC-EDA1-4F8A-86FC-ED45049DCEEB}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]
*Contents of file(s) in 'junk' folder:

Sat May 22 01:45:47 2004 -- *Find-All 'Windows'.hiv list:
A C:\unzipped\Find-All\Find-All\winBackup.hiv
A C:\unzipped\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
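The two logs above show the fingerprints this hijack leaves in a HijackThis log: Internet Explorer search settings redirected to a res:// page inside a randomly named DLL in system32 (HijackThis marks these "(obfuscated)"), HomeOldSP saved as about:blank, a BHO registered with no backing file, and an O4 Run entry whose name is machine-generated. The triage script below is an added example, not part of the thread or of HijackThis; it parses a HijackThis 1.x log and flags those indicators. The sample log is constructed from the shape of the lines posted above, and the looks_random() heuristic and its thresholds are my own assumptions (they deliberately miss pronounceable junk such as EtyapiOy.exe rather than flag legitimate names).

```python
"""Triage a HijackThis 1.x log for the about:blank / res:// search hijack indicators.

Added example, not part of the forum thread or of HijackThis. The sample log is
constructed from the shape of the lines posted above; looks_random() and its
thresholds are assumptions, not a published signature.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason detail")

# Constructed sample log (trimmed to the line types the triage looks at).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 1:43:14 AM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\EtyapiOy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {1FBB5754-2DFF-4D43-93C8-F285EA5F0457} - (no file)
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\YmxB.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A search/home setting whose page is served out of a local DLL's resources.
RES_DLL_RE = re.compile(r"res://(?P<path>\S+?\.dll)/", re.IGNORECASE)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<exe>[^"\s]+?\.exe)\b', re.IGNORECASE)
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "Start Page", "Default_Page_URL")


def parse_entries(log_text):
    """Yield (section, body) for every R*/O* line; the process list is skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def looks_random(token):
    """Heuristic for machine-generated names such as 36F4SAZ3QJAFKE or YmxB.exe.

    Assumed rules: no vowels at all, or three or more letter<->digit switches.
    Deliberately conservative; it misses pronounceable junk like EtyapiOy.
    """
    core = re.sub(r"\.[A-Za-z0-9]+$", "", token)   # drop a file extension
    core = re.sub(r"[^A-Za-z0-9]", "", core)       # ignore punctuation (Ad-aware -> Adaware)
    if len(core) < 4:
        return False
    if not re.search(r"[aeiouAEIOU]", core):
        return True
    switches = sum(1 for a, b in zip(core, core[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def triage(log_text):
    """Return the Findings this hijack leaves in a HijackThis log, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        if section.startswith("R"):
            key, _, value = body.partition(" = ")
            res = RES_DLL_RE.search(value)
            if res and any(k in key for k in SEARCH_KEYS):
                findings.append(Finding(section, "search/start setting served from a local DLL", res.group("path")))
            elif key.endswith("HomeOldSP") and value.strip() == "about:blank":
                findings.append(Finding(section, "saved home page is about:blank", key))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO registered with no backing file", body))
        elif section == "O4":
            run = RUN_RE.match(body)
            if not run:
                continue
            exe = EXE_RE.search(run.group("cmd"))
            base = exe.group("exe").split("\\")[-1] if exe else run.group("cmd")
            if looks_random(run.group("name")) or looks_random(base):
                findings.append(Finding(section, "autostart with machine-generated name",
                                        "[%s] %s" % (run.group("name"), base)))
    return findings


def hijack_dlls(findings):
    """Basenames of the DLLs the res:// settings point at (what to look for on disk)."""
    return sorted({f.detail.split("\\")[-1].lower() for f in findings if f.detail.lower().endswith(".dll")})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.reason}: {f.detail}")
    print("DLLs to inspect:", hijack_dlls(triage(SAMPLE_LOG)))
```

The DLL names this returns are the ones to check for in the Find-All "Locked or 'Suspect' file(s)" section and in AppInit_DLLs; the hijacker in this thread rotates them (fhpdaba.dll, then cfc.dll) between scans, so the check is on the res:// pattern, not on a fixed filename.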


#2 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 22 May 2004 - 04:09 AM

Karen,
A couple of problems here .....

1) You also have another trojan running ...
2) Your HijackThis log is incomplete ...

1) Uninstall Peper Trojan
http://mjc1.com/file...ts/drpeper.html
Note: make sure you are online when run, then reboot.

2) Post a fresh (complete) log
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 someclue (Full Member, 7 posts)

Posted 22 May 2004 - 12:48 PM

thxs Win, I did what you suggested and here is a fresh post

Logfile of HijackThis v1.97.7
Scan saved at 10:33:30 AM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\Itesz6x.exe
C:\WINNT\system32\Rnz8N.exe
C:\hijack\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Yfk8.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

Thxs Karen

#4 someclue (Full Member, 7 posts)

Posted 22 May 2004 - 12:51 PM

I also downloaded reglite and tried to post the address as mentioned in other fixes and I get an error copying
Karen

#5 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 22 May 2004 - 02:10 PM

Karen,
Your log is still incomplete ....

Well let's try this anyway ... starting from the beginning.

Tools and Downloads required:

Download: "Find-All.zip"
http://www10.brinkst...last/pvtool.htm
Unzip but do not do anything yet, it will be needed later.

Download: "SALAMAND.zip"
http://www10.brinkst...last/pvtool.htm
Unzip but do not do anything yet, it will be needed later.

Download and install: (freeware)
Registrar Lite: http://www.resplendence.com/reglite

Download: CWShredder
http://www.spywarein.../hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft....ftware/adaware/
Install, but do not run it yet, it will be needed later.

Download: SpyBot-Search & Destroy 1.3
http://majorgeeks.co...wnload2471.html

[Step 1]

Hint: you may want to print this out to avoid mistakes.

Open Reglite, copy and paste the below into the address bar, hit "Go" button:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


Double-click the "AppInit_Dlls" entry (right pane)
Copy and paste in your next post the following fields:
-Size
-Value
Close Reglite


Next: Locate and double-click the (included in Find-All.zip) "Find-All.bat"
When completed, generates "output.txt"
Copy and Paste the entire contents of "output.txt" into your next post.
Mike

#6 someclue (Full Member, 7 posts)

Posted 23 May 2004 - 11:23 PM

Mike,

I am truly sorry, I am beginning to feel like a real idiot. I did as you suggested and got all of those programmes again. I was unable to copy your quote into reglite so typed it in and I didn't get anywhere where I could double click on AppInit_DLLs,
I got these folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\HTML Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ITStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\\(default)

Now if I open Current Version under a new window I get many folders and files and the only reference to DLLs is a folder called Shared DLLs

I have a new output Log, not sure if it's going to help


==***@@@ 'FIND-ALL' VERSION 7 -5/24 @@@***==--


Sun May 23 21:05:02 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Local Disk" (7C29:6036) - FS:NTFS clusters:512
Total: 19 995 622 912 [19G] - Free: 15 021 566 464 [14G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""
"ESB{FC5C6C50-B66F-4BCE-BBAE-57B4140BCBC0}"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
9:05pm up 1 day, 11:44

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error


*Tasks (services):
0 System Process
8 System
160 SMSS.EXE
184 CSRSS.EXE Title:
204 WINLOGON.EXE Title: NetDDE Agent
240 SERVICES.EXE Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
252 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs
448 SVCHOST.EXE Svcs: RpcSs
480 spoolsv.exe Svcs: Spooler
552 ati2evxx.exe Svcs: Ati HotKey Poller
576 CISVC.EXE Svcs: cisvc
596 SVCHOST.EXE Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
640 InoRpc.exe Svcs: InoRPC
680 InoRT.exe Svcs: InoRT
700 InoTask.exe Svcs: InoTask
772 LogWatNT.exe Svcs: LogWatch
836 regsvc.exe Svcs: RemoteRegistry
864 mstask.exe Svcs: Schedule
940 SVCHOST.EXE Svcs: wuauserv
1052 explorer.exe Title: Program Manager
1240 IEXPLORE.EXE Title:
1296 realsched.exe Title: Notification Wnd for RNAdmin
1576 IEXPLORE.EXE Title: SWI Forums -> About Blank ....gonna scream - Microsoft Internet Explorer
1456 IEXPLORE.EXE Title: SWI Forums -> About Blank ....gonna scream - Microsoft Internet Explorer
1444 Itesz6x.exe Title:
344 Rnz8N.exe Title:
1564 rl.exe Title: Registrar
1268 WINZIP32.EXE Title: WinZip - Find-All.zip
1132 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1460 NTVDM.EXE
1084 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76741787-C95A-4E5B-9979-731082E8A167}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{6298DB0D-2094-4CBB-BAA8-51135899F70F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{6298DB0D-2094-4CBB-BAA8-51135899F70F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)
*Contents of file(s) in 'junk' folder:

Sun May 23 21:05:08 2004 -- *Find-All 'Windows'.hiv list:
A C:\unzipped\Find-All\Find-All\winBackup.hiv
A C:\unzipped\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv



I am feeling pretty useless at this point
Thxs Kar

#7 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 24 May 2004 - 03:07 AM

Hi,

I was unable to copy your quote into reglite

Why? That should paste as all one line ... I just tried it again and it works fine.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


Even if you typed it in (exactly!) it will take you there. Or manually by clicking the "+" next to each section (left pane)
+HKEY_LOCAL_MACHINE
+SOFTWARE
+Microsoft
+Windows NT
>+CurrentVersion
>>Windows

Then the "AppInit_DLLs" entry should be in the right pane.
With the "Windows" key highlighted in the left pane. Then follow the above directions. You can do this!
{insert vote of confidence here}
Mike

#8 someclue (Full Member, 7 posts)

Posted 24 May 2004 - 01:42 PM

Thanks for the vote of confidence.... I followed your other instructions and just kept clicking away at the folders and voilà.

-Size REG_SZ
-Value C:\WINNT\system32\d3dnfml.dll


thanks for your patience


Karen

and output text as follows

==***@@@ 'FIND-ALL' VERSION 7 -5/24 @@@***==--


Sun May 23 21:05:02 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Local Disk" (7C29:6036) - FS:NTFS clusters:512
Total: 19 995 622 912 [19G] - Free: 15 021 566 464 [14G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""
"ESB{FC5C6C50-B66F-4BCE-BBAE-57B4140BCBC0}"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
9:05pm up 1 day, 11:44

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error


*Tasks (services):
0 System Process
8 System
160 SMSS.EXE
184 CSRSS.EXE Title:
204 WINLOGON.EXE Title: NetDDE Agent
240 SERVICES.EXE Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
252 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs
448 SVCHOST.EXE Svcs: RpcSs
480 spoolsv.exe Svcs: Spooler
552 ati2evxx.exe Svcs: Ati HotKey Poller
576 CISVC.EXE Svcs: cisvc
596 SVCHOST.EXE Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
640 InoRpc.exe Svcs: InoRPC
680 InoRT.exe Svcs: InoRT
700 InoTask.exe Svcs: InoTask
772 LogWatNT.exe Svcs: LogWatch
836 regsvc.exe Svcs: RemoteRegistry
864 mstask.exe Svcs: Schedule
940 SVCHOST.EXE Svcs: wuauserv
1052 explorer.exe Title: Program Manager
1240 IEXPLORE.EXE Title:
1296 realsched.exe Title: Notification Wnd for RNAdmin
1576 IEXPLORE.EXE Title: SWI Forums -> About Blank ....gonna scream - Microsoft Internet Explorer
1456 IEXPLORE.EXE Title: SWI Forums -> About Blank ....gonna scream - Microsoft Internet Explorer
1444 Itesz6x.exe Title:
344 Rnz8N.exe Title:
1564 rl.exe Title: Registrar
1268 WINZIP32.EXE Title: WinZip - Find-All.zip
1132 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1460 NTVDM.EXE
1084 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76741787-C95A-4E5B-9979-731082E8A167}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{6298DB0D-2094-4CBB-BAA8-51135899F70F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{6298DB0D-2094-4CBB-BAA8-51135899F70F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)
*Contents of file(s) in 'junk' folder:

Sun May 23 21:05:08 2004 -- *Find-All 'Windows'.hiv list:
A C:\unzipped\Find-All\Find-All\winBackup.hiv
A C:\unzipped\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
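Post #8 above holds the observation that matters: Find-All's REGEDIT4 export prints "AppInit_DLLs"="" and its REG.EXE query lists AppInit_Dlls with no data, yet Registrar Lite shows C:\WINNT\system32\d3dnfml.dll in that value, and the same file is the one Find-All reports under "Locked or 'Suspect' file(s)". A value that one registry reader shows and two others do not is itself the indicator, so it is worth checking mechanically rather than by eye. The script below is an added example, not part of the thread, of Find-All or of Registrar Lite; it parses those three sections of a Find-All output.txt and cross-checks them against the value read in Registrar Lite, which is passed in by hand because that tool gives no text export here. The report text is a constructed, trimmed copy of the shape posted above.

```python
"""Cross-check a Find-All output.txt against what Registrar Lite showed for AppInit_DLLs.

Added example, not part of the thread, of Find-All or of Registrar Lite. The report
text is a constructed, trimmed copy of the shape posted above; the Registrar Lite
reading is passed in by hand.
"""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample: only the Find-All sections this check needs.
SAMPLE_OUTPUT = r"""==***@@@ 'FIND-ALL' VERSION 7 -5/24 @@@***==--

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error
\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error

*Tasks (services):
0 System Process
1444 Itesz6x.exe Title:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

*Security settings for 'Windows' key:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ
"""

# "\\?\C:\path +++ File read error" lines from the locked-files section.
LOCKED_RE = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ ", re.MULTILINE)
# "name"=data lines of a REGEDIT4 export.
EXPORT_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# "name REG_TYPE data" lines printed by REG.EXE 2.0.
REG_QUERY_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:SZ|EXPAND_SZ|MULTI_SZ|DWORD|BINARY)\s*(?P<data>.*)$")


def locked_files(text):
    """Paths Find-All could not read, long-path prefix stripped, duplicates removed, order kept."""
    seen = []
    for m in LOCKED_RE.finditer(text):
        if m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen


def exported_values(text, key):
    """name -> data for one [key] of a REGEDIT4 export embedded in the report."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = EXPORT_VALUE_RE.match(line) if in_key else None
        if m:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]              # REG_SZ data is exported quoted
            values[m.group("name")] = data     # dword:/hex: data is kept as printed
    return values


def reg_query_value(text, name):
    """Data REG.EXE printed for a value name, or None if the value is not listed."""
    for line in text.splitlines():
        m = REG_QUERY_RE.match(line)
        if m and m.group("name").lower() == name.lower():
            return m.group("data").strip()
    return None


def correlate(text, reglite_value):
    """Report what the Registrar Lite reading means in the light of the Find-All report."""
    findings = []
    value = (reglite_value or "").strip()
    if not value:
        return findings
    exported = exported_values(text, WINDOWS_KEY)
    export_data = next((d for n, d in exported.items() if n.lower() == "appinit_dlls"), None)
    reg_data = reg_query_value(text, "AppInit_DLLs")
    if not export_data and not reg_data:
        findings.append("AppInit_DLLs reads empty in the REGEDIT4 export and in REG.EXE, "
                        "but Registrar Lite shows %r: the value is hidden from the standard tools" % value)
    base = value.split("\\")[-1].lower()
    if base in {p.split("\\")[-1].lower() for p in locked_files(text)}:
        findings.append("%s is also the file Find-All reported as locked; expect it to stay "
                        "in use until the value is cleared and the machine rebooted" % base)
    return findings


if __name__ == "__main__":
    for line in correlate(SAMPLE_OUTPUT, r"C:\WINNT\system32\d3dnfml.dll"):
        print("-", line)
```

Both findings together are what justify the order of Mike's next steps: clear the value first, reboot so the DLL is no longer loaded, and only then move the file out of system32.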


#9 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 24 May 2004 - 02:06 PM

Hi,
[Step 2]

Open Reglite, copy and paste the below into the address bar, hit "Go" button:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


(or do the above manually)

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows

Next: Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the d3dnfml.dll and click "Apply", then Ok.

IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close Registrar Lite.

Next: Reboot, IMPORTANT: do not do anything else just reboot.


[Step 3]

Open Salamand.exe included in "SALAMAND.zip"
Follow these menu options exactly as described:

Click the "Left" menu item (top left)
Select: "Change Drive", select: C:

Click the "Right" menu item (top right)
Select: "Change Drive", select: C:

Click the "Commands" menu item
Select: "Create Directory"
(type) junk and press Ok

Click the "Options" menu item
Select: "Command Line"

Click the "Commands" menu item
Select: "Change Directory"
(type) C:\WINNT\system32 and press Ok

Click the "Commands" menu item again
Select: "Find Files", then click the "Edit" button.

In the "Search for" box (type) d3dnfml.dll press Ok
Note: uncheck "include subdirectories" option
Press "Start" (bottom left)

On "file found" press "Focus" button

Next: click "Files" menu item (up top)
Select: "Move\Rename" (type) C:\junk and press Ok.

[Step 4]

Locate: "xfix.bat" included in the Find-All.zip

Double click on it once, it should clean/restore the key.
(though nothing would appear to happen)

Run the "Find-All.bat" again and post the "output.txt" results.
Mike

#10 someclue (Full Member, 7 posts)

Posted 24 May 2004 - 08:22 PM

I have tried 4 X to post the output log and I get a Microsoft Windows error and it closes me out of the net

so I can't add it for some stupid reason

#11 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 24 May 2004 - 08:38 PM

Hi,
I have no idea why you got that error since you were able to post the same results before ... hmm? Well since you didn't mention whether things went well with the above steps, I'll post the rest of it ...

[Step 5]

Open Salamand again
Click the "Left" menu item (top left)
Select: "Change Drive", select: C:

The bottom Address Bar should show: C:\>

Copy and Paste the following 2 commands, one at a time, press Enter.
Important: Close the prompt box after each command return.
Note: You should get (processed..) confirmation on first, and nothing on the second.

Command 1:

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f


Note: both of these lines in bold are all one line.

Command 2:

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111


Close Salamand, open Windows Explorer and delete the C:\Junk folder.

Next, run CWShredder, Ad-Aware and\or SpyBot and post a fresh log.
Mike

#12 showhost (Full Member, 9 posts)

Posted 24 May 2004 - 10:26 PM

Hi someclue or anyone else who will take a moment to answer......

Have been reading your thread with interest as I too am having similar problems. I'm hoping you might be able to help me with a basic question (about forum procedure) as you seem to have figured it out already.

When you begin an exchange of dialogue (especially with one person like WinHelp 2002 has done for you), how does that person know you have responded to their response? A member responded to my initial posting and I simply then replied to that but does he know that I have replied? Is he flagged somehow that I have answered him (as I have elected to do by ticking-off yes to e-mail notification)?

Can you let me know the answer to this basic question which is impeding me getting my posting responded to.

Thanks so much. I will check on this thread to see if you have posted a reply.

showhost

Edited by showhost, 24 May 2004 - 10:40 PM.


#13 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 25 May 2004 - 02:54 AM

showhost,
To answer your question ... yes most of us hit the "Track this Topic" so we will know when someone has responded to the post. I looked at your log and posted a reply ...
Mike

#14 someclue (Full Member, 7 posts)

Posted 26 May 2004 - 12:47 AM

Thanks so much for all your help, I am sorry I wasn't able to get back to you. I think I have it all cleaned out but I still have that pepper trojan. I tried the link you gave me and I downloaded it and I get the following message: attempt to access invalid address

Not sure what that is about thxs Karen

#15 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 26 May 2004 - 05:05 AM

someclue,

but I still have that pepper trojan

Uninstall Peper Trojan
http://mjc1.com/file...ts/drpeper.html
Note: make sure you are online when run, then reboot.
Then run it again and reboot ...

I'm not sure why you are getting an error? Were you "online" when you ran the program? Or maybe a bad download? Try it again and let me know.

After the above and a reboot post a fresh log ...
Mike



